Home / ubuntu / Questions / 745492
Accepted
hsivonen
Asked: 2016-03-14 06:33:10 +0800 CST

How to set up Ubuntu Server as a wireless + ethernet router with IPv4 and IPv6

  • 772

I have a computer running Ubuntu Server (14.04 but I want to upgrade to 16.04 when it becomes available) with two Ethernet interfaces and one WiFi interface.

The interfaces are:

  • Ethernet towards WAN: p2p1

  • Ethernet towards LAN: eth0

  • WiFi towards LAN: wlan0 (Intel Corporation Wireless 7260, driver: iwlwifi)

I'd like to do the following:

  • Set up wlan0 in the access point mode with WPA2 encryption in the 802.11 b/g/n mode. (I don't mind enabling 802.11a, too, but I don't need it. I need 802.11n and b/g legacy.)

  • Bridge wlan0 and eth0 together as br0.

  • Use DHCP to configure an IPv4 address for p2p1.

  • Set up a DHCP server to assign private IPv4 addresses to hosts connected to br0.

  • Set up NAT between br0 and p2p1 for IPv4 traffic.

  • Use DHCPv6 to fetch an IPv6 prefix for p2p1.

  • Set up router advertisement to assign IPv6 addresses under the prefix to hosts connected to br0.

  • Route IPv6 traffic between p2p1 and br0.

  • Set up a caching DNS server and advertise it as the DNS server to hosts on br0 (but block queries from p2p1).

  • Set up firewall rules that block all CIFS/SMB, possibily other insecure Windows traffic and CUPS printing between the br0 LAN and the p2p1 WAN.

  • Set up whatever other firewall rules are considered best practice while not preventing efficient Skype, WebRTC and push notification traffic between WAN and the hosts on the br0 network.

This should be a basic "turn an Ubuntu box into an IPv4+IPv6 home router" kind of thing. I've done a lot of searching already, but I've failed to find a guide that matches my needs. In particular, I have trouble finding guidance for setting up iwlwifi-based wlan0 with WPA2 in the AP mode and then using that as part of a brige interface. (I found guides that talk about WEP or of using wlan0 as the WAN interface that connects to an AP as a client or explicitly using Atheros drivers as opposed to iwlwifi.) Also, I have trouble finding guidance for the IPv6 part. Superficially, it looks like some combination of bridge-utils, hostapd and dnsmasq could address all of the above. Maybe.

Any pointers to a guide that already covers this or other advice on how to proceed?

networking

1 Answers

  1. Best Answer

    The significant bit was locating a tutorial for fetching the IPv6 prefix.

    Other than that, the comments in the default config files and the obviously-discoverable tutorials for bridge-utils, hostapd and dnsmasq worked.

    With ufw the key thing was to use the route keyword in rules that apply to traffic that doesn't terminate on the router computer itself.

    (I used AppArmor to confine wide-dhcpv6-client, dnsmasq and hostapd by following the guidance for aa-logprof on the community wiki.)

    • 1